Tags: javascript, fetch-api

Is it fine from a security standpoint to always set `{ credentials: "include" }` in the JavaScript Fetch API?


Some HTTP requests require authentication and some do not, but if using `{ credentials: "include" }` is not a vulnerability, why not always keep the `"include"` value?


Solution

  • Credentials are sensitive by nature. If you can reduce the number of places credentials are sent, risk is reduced. Furthermore, including credentials must be specifically permitted by cross-origin requests, and if other origins don't opt in to this, then `credentials: "include"` will cause the request to fail.

    I think the principle of least privilege somewhat applies here: https://en.wikipedia.org/wiki/Principle_of_least_privilege
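As an added illustration (not part of the original answer), the following simulates both sides of the opt-in the answer describes: the server must echo the exact origin and send `Access-Control-Allow-Credentials: true` (a `*` wildcard is refused for credentialed requests), and a small helper picks the credentials mode per request instead of defaulting to `"include"`. The function names, the `allowedOrigins` list and the example origins are assumptions made for this example; the browser check is a simplified model of the CORS rules, not browser code.

```javascript
// Server side: CORS headers for a credentialed request. `allowedOrigins` is an
// assumed allow-list; an allowed origin is echoed back verbatim, never "*".
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {}; // no opt-in: browser will block
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
    "vary": "Origin", // response differs per origin, so caches must key on it
  };
}

// Browser side (simplified model): does a credentialed cross-origin response pass?
function browserAcceptsCredentialed(pageOrigin, headers) {
  const acao = headers["access-control-allow-origin"];
  const acac = headers["access-control-allow-credentials"];
  if (acao === "*") return false;        // wildcard is rejected when credentials are sent
  if (acao !== pageOrigin) return false; // must name the requesting origin exactly
  return acac === "true";                // and must explicitly opt in to credentials
}

// Least privilege: choose the credentials mode per request rather than always "include".
// `needsAuth` is a hypothetical flag the caller sets for endpoints that require a session.
function credentialsModeFor(pageOrigin, url, needsAuth) {
  const sameOrigin = new URL(url, pageOrigin).origin === pageOrigin;
  if (!needsAuth) return "omit";                 // public resource: send no cookies at all
  return sameOrigin ? "same-origin" : "include"; // cross-origin credentials only when required
}

// Usage (constructed origins): an allowed origin passes, a wildcard or unlisted origin fails.
const allowed = ["https://app.example"];
console.log(browserAcceptsCredentialed("https://app.example", corsHeadersFor("https://app.example", allowed)));
console.log(browserAcceptsCredentialed("https://other.example", corsHeadersFor("https://other.example", allowed)));
console.log(credentialsModeFor("https://app.example", "https://api.example/me", true));
```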